RSYSLOGD(8)		  Linux	System Administration		   RSYSLOGD(8)

       rsyslogd	- reliable and extended	syslogd

       rsyslogd	 [  -d ] [ -D ]	[ -f config file ] [ -i	pid file ] [ -n	] [ -N
       level ] [ -C ] [	-v ]

       Rsyslogd	is a system utility providing  support	for  message  logging.
       Support	of  both internet and unix domain sockets enables this utility
       to support both local and remote	logging.

       Note that this version of rsyslog ships with extensive documentation in
       html format.  This is provided in the ./doc subdirectory and probably
       in a separate package if you installed rsyslog via a packaging system.
       To use rsyslog's advanced features, you need to look at the html
       documentation, because the man pages only cover basic aspects of
       operation.  For details and configuration examples, see the
       rsyslog.conf(5) man page and the online documentation at

       Rsyslogd(8) is derived from the sysklogd	package	which in turn  is  de-
       rived from the stock BSD	sources.

       Rsyslogd provides a kind of logging that many modern programs use.
       Every logged message contains at least a time and a hostname field,
       normally a program name field, too, but that depends on how trustworthy
       the logging program is.  The rsyslog package supports free definition
       of output formats via templates.  It also supports precise timestamps
       and writing directly to databases.  If the database option is used,
       tools like phpLogCon can be used to view the log data.

       While the rsyslogd sources have been heavily modified, a couple of
       notes are in order.  First of all, there has been a systematic attempt
       to ensure that rsyslogd follows its default, standard BSD behavior.  Of
       course, some configuration file changes are necessary in order to
       support the template system.  However, rsyslogd should be able to use a
       standard syslog.conf and act like the original syslogd.  However, an
       original syslogd will not work correctly with an rsyslog-enhanced
       configuration file.  At best, it will generate funny looking file
       names.  The second important concept to note is that this version of
       rsyslogd interacts transparently with the version of syslog found in
       the standard libraries.  If a binary linked to the standard shared
       libraries fails to function correctly we would like an example of the
       anomalous

       The main configuration file /usr/local/etc/rsyslog.conf or an
       alternative file, given with the -f option, is read at startup.  Any
       lines that begin with the hash mark (``#'') and empty lines are
       ignored.  If an error occurs during parsing, the error element is
       ignored and rsyslogd tries to parse the rest of the line.

       -D     Runs the Bison config parser in debug mode. This may help when
              hard-to-find syntax errors are reported. Please note that the
              output generated is deeply technical and originally targeted
              towards developers.

       -d     Turns on debug mode. See the DEBUGGING section for more informa-

       -f config file
              Specify an alternative configuration file instead of
              /usr/local/etc/rsyslog.conf, which is the default.

       -i pid file
	      Specify an alternative pid file  instead	of  the	 default  one.
	      This  option  must  be  used  if	multiple instances of rsyslogd
	      should run on a single machine.

       -n     Avoid auto-backgrounding.  This is needed especially if
              rsyslogd is started and controlled by init(8).

       -N  level
	      Do  a  coNfig check. Do NOT run in regular mode, just check con-
	      figuration file correctness.  This option	is meant to  verify  a
	      config file. To do so, run rsyslogd interactively	in foreground,
	      specifying -f <config-file> and -N level.	  The  level  argument
	      modifies	behaviour.  Currently, 0 is the	same as	not specifying
	      the -N option at all (so this makes limited sense) and  1	 actu-
	      ally  activates  the  code.  Later, higher levels	will mean more
	      verbosity	(this is a forward-compatibility option).

       -C     This prevents rsyslogd from changing to the root directory. This
	      is  almost  never	a good idea in production use. This option was
	      introduced in support of the internal testbed.

       -v     Print version and	exit.
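
       The -N check described above can gate a configuration change. The
       following is an added example, not part of the original manual page or
       of rsyslog itself; the function names and the RSYSLOGD_BIN variable are
       this example's own, and it assumes rsyslogd exits non-zero when the
       check finds errors.

```shell
#!/bin/sh
# Added example (not from the rsyslog project): validate a candidate
# configuration with "rsyslogd -f FILE -N 1" before it replaces the live file.
# Assumption: rsyslogd exits non-zero when the check finds errors.
# RSYSLOGD_BIN is a variable of this example, not an rsyslog setting.
RSYSLOGD_BIN="${RSYSLOGD_BIN:-rsyslogd}"

# check_rsyslog_config FILE
#   0 = check passed, 1 = rsyslogd reported a problem, 2 = file not readable
check_rsyslog_config() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "check_rsyslog_config: cannot read $cfg" >&2
        return 2
    fi
    # -N 1 only checks the file; rsyslogd does not enter regular mode.
    if report=$("$RSYSLOGD_BIN" -f "$cfg" -N 1 2>&1); then
        return 0
    fi
    printf '%s\n' "$report" >&2   # show the parser's diagnostics
    return 1
}

# install_if_valid CANDIDATE LIVE
#   Copies CANDIDATE over LIVE only after the check passes; keeps LIVE.bak.
install_if_valid() {
    candidate="$1"; live="$2"
    check_rsyslog_config "$candidate" || return $?
    if [ -f "$live" ]; then cp -p "$live" "$live.bak" || return 3; fi
    # Write beside the target, then rename, so readers never see a partial file.
    cp "$candidate" "$live.new.$$" && mv -f "$live.new.$$" "$live" || return 3
}

# Usage: install_if_valid ./rsyslog.conf.candidate /usr/local/etc/rsyslog.conf
```

       Because the configuration file is read at startup, rsyslogd has to be
       restarted before the installed file takes effect.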

       Rsyslogd	reacts to a set	of signals.  You may easily send a  signal  to
       rsyslogd	using the following:

	      kill -SIGNAL $(cat /var/run/

       Note  that -SIGNAL must be replaced with	the actual signal you are try-
       ing to send, e.g. with HUP. So it then becomes:

	      kill -HUP	$(cat /var/run/

       HUP    This lets rsyslogd close all open files.

       TERM ,  INT ,  QUIT
	      Rsyslogd will die.

       USR1   Switch debugging on/off.	This option can	only be	used if	 rsys-
	      logd is started with the -d debug	option.

       CHLD   Wait for children if some were born, because of wall'ing messages.

       There  is the potential for the rsyslogd	daemon to be used as a conduit
       for a denial of service attack.	A rogue	program(mer) could very	easily
       flood  the  rsyslogd  daemon  with syslog messages resulting in the log
       files consuming all the remaining space on the filesystem.   Activating
       logging	over the inet domain sockets will of course expose a system to
       risks outside of	programs or individuals	on the local machine.

       There are a number of methods of	protecting a machine:

       1.     Implement	kernel firewalling to limit which  hosts  or  networks
	      have access to the 514/UDP socket.

       2.     Logging  can  be	directed to an isolated	or non-root filesystem
	      which, if	filled,	will not impair	the machine.

       3.     The ext2 filesystem can be used which can	be configured to limit
	      a	 certain  percentage  of  a  filesystem	to usage by root only.
	      NOTE that	this will require rsyslogd to be  run  as  a  non-root
	      process.	 ALSO NOTE that	this will prevent usage	of remote log-
	      ging on the default port since rsyslogd will be unable  to  bind
	      to the 514/UDP socket.

       4.     Disabling	 inet  domain sockets will limit risk to the local ma-
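
       An added example for method 2 (not part of the original manual page):
       it lists the file targets of a configuration that share a filesystem
       with a path you want to protect, such as /. The function names are this
       example's own, and it assumes legacy "selector action" lines in which a
       file action is an absolute path, optionally prefixed with "-".

```shell
#!/bin/sh
# Added example, not rsyslog code. Assumes legacy "selector action" lines
# where a file action is an absolute path, optionally prefixed with "-".

# mount_point PATH: mount point of the filesystem holding PATH, falling back
# to the nearest existing parent when PATH has not been created yet.
# (Mount points containing whitespace are not handled.)
mount_point() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
    df -P "$p" | awk 'NR == 2 { print $NF }'
}

# log_targets CONFIG: print every file path used as an action.
# Comment lines, empty lines and "$Directive" lines are skipped.
log_targets() {
    awk '!/^[ \t]*([#$]|$)/ && NF >= 2 {
             a = $2; sub(/^-/, "", a)
             if (a ~ /^\//) print a
         }' "$1"
}

# shared_with CONFIG PROTECTED: print targets on PROTECTED's filesystem.
# Returns 1 if any were found, so it can gate a deployment.
shared_with() {
    guard=$(mount_point "$2")
    found=0
    for t in $(log_targets "$1"); do
        if [ "$(mount_point "$t")" = "$guard" ]; then
            echo "$t"
            found=1
        fi
    done
    return "$found"
}

# Usage: shared_with /usr/local/etc/rsyslog.conf / || echo "logs can fill /"
```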

   Message replay and spoofing
       If remote logging is enabled, messages can easily be spoofed and
       replayed.  As the messages are transmitted in clear-text, an attacker
       might use the information obtained from the packets for malicious
       purposes.  Also, an attacker might replay recorded messages or spoof a
       sender's IP address, which could lead to a wrong perception of system
       activity.  These can be prevented by using GSS-API authentication and
       encryption.  Be sure to think about syslog network security before
       enabling it.

       When  debugging is turned on using the -d option, rsyslogd produces de-
       bugging information according to	the RSYSLOG_DEBUG environment variable
       and  the	 signals  received. When run in	foreground, the	information is
       written to stdout. An additional	output file can	be specified using the
       RSYSLOG_DEBUGLOG	environment variable.

	      Configuration  file for rsyslogd.	 See rsyslog.conf(5) for exact
	      The Unix domain socket to	from where local syslog	 messages  are
	      The file containing the process id of rsyslogd.
	      Default  directory for rsyslogd modules. The prefix is specified
	      during compilation (e.g. /usr/local).
	      Controls runtime debug support. It  contains  an	option	string
	      with the following options possible (all are case	insensitive):

	      Debug  Turns  on	debugging  and	prevents forking. This is pro-
		     cessed earlier in the startup than	command	 line  options
		     (i.e.  -d)	 and as	such enables earlier debugging output.
		     Mutually exclusive	with DebugOnDemand.
		     Enables debugging but turns off debug output. The	output
		     can  be  toggled  by  sending SIGUSR1. Mutually exclusive
		     with Debug.
		     Print out the logical flow	of functions (entering and ex-
		     iting them)
                     Specifies which files to trace LogFuncFlow. If not set
                     (the default), a LogFuncFlow trace is provided for all
                     files. Set to limit it to the files specified. FileTrace
                     may be specified multiple times, one file each (e.g.
                     export RSYSLOG_DEBUG="LogFuncFlow FileTrace=vm.c File-
		     Print the content of the debug function database whenever
		     debug information is printed (e.g.	abort case)!
		     Print  all	 debug information immediately before rsyslogd
		     exits (currently not implemented!)
		     Print mutex action	as  it	happens.  Useful  for  finding
		     deadlocks and such.
		     Do	 not  prefix log lines with a timestamp	(default is to
		     do	that).
		     Do	not emit debug messages	to stdout. If RSYSLOG_DEBUGLOG
		     is	 not  set, this	means no messages will be displayed at
	      Help   Display a very short list of commands - hopefully a  life
		     saver if you can't	access the documentation...

              If set, writes (almost) all debug messages to the specified log
              file in addition to stdout.
	      Provides the default directory in	which loadable modules reside.

       Please review the file BUGS for up-to-date information  on  known  bugs
       and annoyances.

Further	Information
       Please visit for additional information, tu-
       torials and a support forum.

       rsyslog.conf(5),	  logger(1),   syslog(2),   syslog(3),	  services(5),

       rsyslogd	is derived from	sysklogd sources, which	in turn	was taken from
       the BSD sources.	Special	thanks	to  Greg  Wettstein  (greg@wind.enjel-	and Martin Schulze ( for the fine	sysklogd pack-

       Rainer Gerhards
       Adiscon GmbH
       Grossrinderfeld,	Germany

Version	8.6.0			  02 Dec 2014			   RSYSLOGD(8)

